US9130822B2 - Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems - Google Patents

Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems

Info

Publication number
US9130822B2
Authority
US
United States
Prior art keywords
network message
destination
application
reaching
moderation
Prior art date
Legal status
Active
Application number
US14/070,151
Other versions
US20140059153A1 (en)
Inventor
Cameron Blair Cooper
Current Assignee
Proofpoint Inc
Original Assignee
Socialware Inc
Priority date
Filing date
Publication date
Priority to US14/070,151
Application filed by Socialware Inc
Assigned to SOCIALWARE, INC. (assignment of assignors interest; assignor: COOPER, CAMERON BLAIR)
Publication of US20140059153A1
Priority to US14/823,786 (US10230593B2)
Publication of US9130822B2
Application granted
Assigned to PROOFPOINT, INC. (assignment of assignors interest; assignor: SOCIALWARE, INC.)
Priority to US15/420,854 (US10404553B2)
Priority to US15/420,838 (US10511496B2)
Assigned to GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT (second lien intellectual property security agreement; assignor: PROOFPOINT, INC.)
Assigned to GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT (first lien intellectual property security agreement; assignor: PROOFPOINT, INC.)
Assigned to PROOFPOINT, INC. (release of second lien security interest in intellectual property; assignor: GOLDMAN SACHS BANK USA, AS AGENT)
Legal status: Active
Anticipated expiration

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/95Retrieval from the web
    • G06F16/953Querying, e.g. by the use of web search engines
    • G06F16/9535Search customisation based on user profiles and personalisation
    • G06F17/30867
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/21Monitoring or handling of messages
    • H04L51/212Monitoring or handling of messages using filtering or selective blocking
    • H04L51/32
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/52User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail for supporting social networking services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0245Filtering by information in the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/50Service provisioning or reconfiguring
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281Proxies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04W4/001

Definitions

  • This disclosure relates generally to web applications and more particularly to social networking applications. Even more particularly, this disclosure relates to a system, method, and computer program product comprising instructions translatable by a computer to intercept, quarantine, and moderate communications internal to systems that are beyond the control of computing environments where embodiments disclosed herein may reside.
  • The main types of social networking services provided by social networking sites are those which contain directories or categories, a means to connect with friends, and a means to recommend other individuals.
  • A social networking site may allow a user to identify an individual as a friend, a former classmate, or an uncle.
  • The social networking site may recommend to the user another individual as a potential friend and also provide a personalized web page for the user to interact with those that the user has identified as “friends” via the social networking site.
  • Some social networking sites provide functions in the form of web applications for members to create user profiles, send messages to other members who are their “friends,” and personalize web pages available to friends and/or the general public. Through these web applications, social networking sites can connect people at low cost and very high efficiency. Some entrepreneurs and businesses looking to expand their contact base have recognized these benefits and are utilizing some social networking sites as a customer relationship management tool for selling their products and services.
  • Such web applications are uncontrolled web applications, as they are not controlled by the business or entity that operates the computing environment from where user requests for access are generated. Uncontrolled web applications or software systems are collectively referred to herein as uncontrolled systems. Uncontrolled systems may come in various forms. One example of an uncontrolled system may be an application running on a social networking site such as Facebook.
  • Although conventional web scanning systems may be able to monitor network traffic, detect certain words or patterns, and block a request to a social networking site, they have no method to block the request elegantly, without breaking the user experience. Moreover, conventional web scanning systems have no means of resubmitting the request if it is approved by a moderator.
  • Embodiments disclosed herein provide a system, method, and computer program product comprising one or more non-transitory computer readable storage media storing computer instructions for intercepting, quarantining, and moderating internal communications of uncontrolled systems.
  • The functionality disclosed herein can be implemented as middleware or a proxy within or outside an enterprise computing environment, a private network, or the like.
  • A method for intercepting, quarantining, and moderating internal communications of an uncontrolled system may comprise loading an instance of the uncontrolled system on a device associated with a user in a computing environment.
  • The uncontrolled system may reside at a server computer external to, and independent and separate from, the computing environment.
  • The user may type in a message as usual.
  • An instance of the uncontrolled system running on the user's device may prepare a request containing the message.
  • Some embodiments disclosed herein may determine that the message is subject to moderation, intercept the request, and place the message in a moderation queue. This determination may be based on the destination of the request as well as the type of the message.
  • A computer may perform the interception and put the original request in a moderation queue.
  • The moderation queue may reside within or outside of the computing environment.
  • A proxy or middleware server computer may perform all the functions disclosed herein, including interception, quarantine, moderation, resubmission, and so on.
  • Moderation may comprise automated moderation, manual moderation, or a combination thereof.
  • Intercepted requests may be blocked or allowed to be resubmitted.
  • Some embodiments may reconstruct the original request. If a session corresponding to the original request has since expired, some embodiments may log in for the user and resubmit the reconstructed request. Some embodiments may simply wait for the next time the user logs in to resubmit the reconstructed request.
  • Some embodiments may comprise a plurality of application programming interfaces (APIs), each of which is specific to an uncontrolled system, and may communicate the reconstructed request with the uncontrolled system via a corresponding API.
  • Because embodiments disclosed herein have the ability to intercept, quarantine, and moderate communications internal to uncontrolled systems, it may not be necessary for an entity operating a private network to block its users from accessing such uncontrolled systems entirely. In this way, it is possible for entities and enterprises alike to gain the benefits that may come from embracing social networking sites without risking the downsides of allowing their users access to uncontrolled web applications.
  • FIG. 1 depicts a simplified diagrammatic representation of a prior art architecture in which users in a private network may access social networking sites via the Internet;
  • FIG. 2 depicts a diagrammatic representation of an exemplary computer system comprising at least one computer readable storage medium storing computer instructions implementing an embodiment disclosed herein;
  • FIG. 3 depicts a simplified diagrammatic representation of a prior art architecture in which a piece of code from an uncontrolled application or software system, such as one that is associated with a social networking site, may run on a device associated with a user and conduct internal communications with the uncontrolled system;
  • FIG. 4 depicts a simplified diagrammatic representation of a system architecture in which the internal communication of an uncontrolled system is intercepted by an embodiment disclosed herein;
  • FIG. 5 depicts a flow diagram illustrating an example of one embodiment of a method for intercepting, quarantining, and moderating internal communications of an uncontrolled system;
  • FIG. 6 depicts a diagrammatic representation of a system architecture in which the internal communication of an uncontrolled system is intercepted by an embodiment disclosed herein;
  • FIG. 7 depicts a diagrammatic representation of another system architecture in which the internal communication of an uncontrolled system is intercepted by an embodiment disclosed herein;
  • FIG. 8 depicts a diagrammatic representation of a prior art architecture in which the internal communication of an uncontrolled system is not intercepted but is moderated internally.
  • Computer-readable storage media encompasses all types of data storage media that can be read by a processor. Examples of computer-readable storage media can include random access memories, read-only memories, hard drives, data cartridges, magnetic tapes, floppy diskettes, flash memory drives, optical data storage devices, compact-disc read-only memories, and other appropriate computer memories and data storage devices.
  • The terms “comprises,” “comprising,” “includes,” “including,” “has,” “having,” or any other variation thereof, are intended to cover a non-exclusive inclusion.
  • A process, product, article, or apparatus that comprises a list of elements is not necessarily limited to only those elements but may include other elements not expressly listed or inherent to such process, product, article, or apparatus.
  • The term “or” refers to an inclusive or and not to an exclusive or. For example, a condition A or B is satisfied by any one of the following: A is true (or present) and B is false (or not present), A is false (or not present) and B is true (or present), and both A and B are true (or present).
  • Any examples or illustrations given herein are not to be regarded in any way as restrictions on, limits to, or express definitions of, any term or terms with which they are utilized. Instead, these examples or illustrations are to be regarded as being described with respect to one particular embodiment and as illustrative only. Those of ordinary skill in the art will appreciate that any term or terms with which these examples or illustrations are utilized encompass other embodiments as well as implementations and adaptations thereof which may or may not be given therewith or elsewhere in the specification, and all such embodiments are intended to be included within the scope of that term or terms. Language designating such non-limiting examples and illustrations includes, but is not limited to: “for example,” “for instance,” “e.g.,” “in one embodiment,” and the like.
  • FIG. 1 depicts a simplified diagrammatic example of how traditionally an entity or organization may monitor and protect network traffic to and from social networking sites.
  • Company A may own and operate company network 140 .
  • Examples of company network 140 may include a local area network (LAN), an intranet—a private computer network within the organization, etc.
  • User 130 of company network 140 may access Internet 110 via proxy 150 .
  • Social networking sites 120 may be generally accessible by users connected to Internet 110 .
  • Social networks 120 may include, but are not limited to, Facebook®, LinkedIn®, Twitter®, MySpace®, Friendster®, Multiply®, Orkut®, Cyworld®, Hi5®, and others. All trademarks, service marks, and logos used herein are properties of their respective companies.
  • Proxy 150 of company network 140 may monitor and block all network traffic to and from one or more social networking sites 120 by way of a firewall implemented on proxy 150 .
  • A firewall may be implemented as a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications.
  • A firewall may be implemented as a device or a set of devices configured to permit, deny, encrypt, decrypt, or proxy all incoming and outgoing network traffic between different domains based upon a set of rules and other criteria.
  • Firewalls may be implemented in hardware, software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. Generally, all messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
  • Proxy 150 represents a server computer that acts as an intermediary for requests from user 130 seeking resources from other servers, including those that reside outside of network 140 .
  • User 130 is a representation of a typical user in company network 140 and may include software and hardware utilized by the user to access company network 140 and Internet 110 .
  • FIG. 2 depicts an exemplary system within a computing environment where embodiments disclosed herein may be implemented.
  • Components 202 of computing system 200 may include, but are not limited to, processing unit 204 , system memory 206 , and system bus 208 .
  • System bus 208 may couple various system components including system memory 206 to processing unit 204 .
  • System bus 208 may comprise any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures.
  • Computing system 200 may include a variety of computer readable storage media.
  • Computer readable storage media can be any available storage media that can be accessed by computing system 200 .
  • Computer readable storage media may comprise volatile and nonvolatile storage media and removable and non-removable storage media.
  • Computer readable storage media storing computer instructions implementing embodiments disclosed herein may be manufactured by known methods and materials and may rely on known programming languages and techniques for storage of information thereon.
  • Examples of computer readable storage media may include, but are not limited to, random access memory (RAM), read only memory (ROM), EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by computing system 200 .
  • System memory 206 includes ROM 210 and RAM 212 .
  • ROM 210 may store basic input/output system 214 (BIOS), containing the basic routines that help to transfer information between elements within computing system 200 , such as those used during start-up.
  • RAM 212 may store data and/or program modules that are immediately accessible to and/or presently being operated on by processing unit 204 .
  • FIG. 2 shows RAM 212 storing operating system 216 , application programs 218 , other program modules 220 , and program data 222 .
  • Computing system 200 may also include other removable/non-removable, volatile/nonvolatile computer readable storage media that can be employed to store computer instructions implementing some embodiments disclosed herein.
  • Computing system 200 may include hard disk drive 224 , magnetic disk drive 226 , and/or optical disk drive 230 .
  • Hard drive (HD) 224 may read from and write to non-removable, nonvolatile magnetic media.
  • Disk drive 226 may read from and write to removable, nonvolatile magnetic disk 228 .
  • Optical disk drive 230 may read from and write to a removable, nonvolatile optical disk 232 such as a CD ROM or other optical medium.
  • Hard drive 224 may be connected to system bus 208 via a non-removable memory interface, such as interface 234 .
  • Magnetic disk drive 226 and optical disk drive 230 may be connected to system bus 208 via a removable memory interface, such as interface 238 .
  • The drives and their associated computer readable storage media may provide storage of computer readable instructions, data structures, program modules and other data for computing system 200 .
  • Hard disk drive 224 may store operating system 268 , application programs 270 , other program modules 272 and program data 274 . Note that these components can either be the same as or different from operating system 216 , application programs 218 , other program modules 220 , and program data 222 .
  • A user may enter commands and information into computing system 200 via input devices such as tablet or electronic digitizer 240 , microphone 242 , keyboard 244 , and pointing device 246 .
  • Pointing device 246 may comprise a mouse, a trackball, and/or a touch pad.
  • Processing unit 204 may connect to user input interface 248 .
  • User input interface 248 may be coupled to system bus 208 directly or via other interface and bus structures, such as a parallel port, a game port, or a universal serial bus (USB).
  • Monitor or other type of display device 250 may be connected to system bus 208 via an interface, such as a video interface 252 .
  • Monitor 250 may also be integrated with a touch-screen panel or the like. Note that the monitor and/or touch screen panel can be physically coupled to a housing in which computing system 200 is incorporated, such as in a tablet-type personal computer.
  • Computing system 200 may comprise additional peripheral output devices such as speakers 256 and printer 254 , which may be connected via an output peripheral interface 258 or the like.
  • Computing system 200 may operate in a networked environment and may have logical connections to one or more remote computers, such as remote computing system 260 .
  • Remote computing system 260 may be a personal computer, a server, a router, a network PC, a peer device or other common network node. Although only a memory storage device 262 is shown in FIG. 2 , remote computing system 260 may include many or all of the components and features described above with reference to computing system 200 .
  • Logical connections between computing system 200 and remote computing system 260 may include local area network (LAN) 264 , connecting through network interface 276 , and wide area network (WAN) 266 , connecting via modem 278 . Additional networks may also be included.
  • Embodiments disclosed herein can be implemented to run on various platforms operating under system software such as IBM OS/2®, Linux®, UNIX®, Microsoft Windows®, Apple Mac OSX® and others in development or commercially available.
  • The functionality disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in any combination of the two.
  • Software operations may be executed, in part or wholly, by one or more servers or a client's system, via hardware, a software module, or any combination of the two.
  • A software module (program or executable) may reside on one or more of the computer readable storage media described above.
  • An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium.
  • The storage medium may be integral to the processor.
  • The processor and the storage medium may also reside in an application specific integrated circuit (ASIC).
  • The bus may be an optical or conventional bus operating pursuant to various protocols that are known to those skilled in the art.
  • Computer instructions implementing some embodiments disclosed herein may comprise lines of compiled C++, Java, or other language code.
  • Other architectures may be used.
  • Various software components may reside on any single computer or on any combination of separate computers.
  • Some or all of the software components may reside on the same computer.
  • The functions of any of the systems and methods may be performed by a single computer.
  • Different computers than are shown in FIG. 2 may perform those functions.
  • A computer program or its software components with such code may be embodied in more than one computer readable medium in more than one computer.
  • FIG. 3 depicts a simplified diagrammatic representation of a prior art architecture in which a piece of code such as JavaScript 330 from uncontrolled system 320 may run on a device associated with user 130 and conduct internal communications 340 with uncontrolled system 320 .
  • Communications 340 are considered internal to uncontrolled system 320 because code 330 , acting as the user agent for uncontrolled system 320 , is typically not controllable by administrator(s) of the computing environment from where user 130 accesses uncontrolled system 320 .
  • Code 330 of uncontrolled system 320 is responsible for communications 340 .
  • This is in contrast to the generic network traffic described above with reference to FIG. 1 where a browser application running on a device associated with user 130 usually acts as the user agent and is generally responsible for preparing a request and submitting the request to a network site external to computing environment 140 .
  • FIG. 4 depicts a simplified diagrammatic representation of system architecture 400 in which internal communications 340 between code 330 and uncontrolled system 320 may be intercepted by middleware 310 .
  • Internal communications 340 may comprise an application layer protocol request.
  • Such a request may be a Hypertext Transfer Protocol (HTTP) request.
  • Middleware 310 may intercept internal communications 340 and put them through a moderation flow.
  • The moderation flow may be fully or semi-automated.
  • The moderation may block communications 340 or may allow communications 340 to be resubmitted to uncontrolled system 320 via reconstructed request 440 .
  • FIG. 5 depicts a flow diagram illustrating an example of one embodiment of a method for intercepting, quarantine, and moderating internal communications of an uncontrolled system.
  • Method 500 may comprise loading a piece of code or an instance of an uncontrolled application on a device associated with a user in a computing environment (step 501 ) and monitoring traffic between the code running on the user device and the uncontrolled application running on an external site such as a social networking site (step 503 ).
  • The social networking site may be operated by Twitter and the code may comprise Twitter JavaScript.
  • Code 330 may formulate a request containing the message.
  • The Twitter JavaScript may formulate an HTTP request containing the tweet for posting to the user's Twitter account maintained by Twitter.
  • Proxy server 150 residing in computing environment 140 or middleware 310 of system 600 may determine whether the request from user 130 is destined for uncontrolled system 320 (step 511 ). If the request from user 130 is not destined for uncontrolled system 320 , the request is processed normally and flow 500 returns to step 503 to continue to monitor internal communications 340 .
  • Proxy server 150 or middleware 310 may determine whether the request is subject to interception (step 513 ) based on the destination of the request as well as the type of message in the request. If the request from user 130 is not subject to interception, proxy server 150 or middleware 310 may forward the request to its destination (step 521 ). If the request from user 130 is subject to interception, proxy server 150 or middleware 310 may put the request through a moderation flow (step 505 ). In some embodiments, this involves placing a job corresponding to the request in a moderation queue. In some embodiments, moderation queue 650 may reside within computing environment 140 . In some embodiments, moderation queue 610 may reside outside of computing environment 140 .
  • method 500 may further comprise performing moderation on one or more jobs in the moderation queue (step 507 ).
  • Middleware 310 may comprise a plurality of software tools 620 , including moderation 660 .
  • Moderation 660 may be automated or semi-automated.
  • method 500 may further comprise determining whether to block a request or allow it to be resubmitted to uncontrolled system 320 (step 514 ). In some embodiments, if the request is not approved via moderation 660 , the request is blocked (step 523 ). In some embodiments, if the request is approved, method 500 may further comprise performing resubmission of the approved request (step 509 ). In some embodiments, this may involve reconstructing the original, intercepted request.
  • Some embodiments may log in for the user and resubmit the reconstructed request. Some embodiments may simply wait for the next time the user logs in to resubmit the reconstructed request. Some embodiments may comprise a plurality of application programming interfaces (APIs), each of which is specific to an uncontrolled system, and may communicate the reconstructed request with the uncontrolled system via a corresponding API.
  • FIG. 6 depicts a diagrammatic representation of a system architecture in which the internal communication of an uncontrolled system is intercepted by an embodiment disclosed herein.
  • FIG. 6 illustrates how an entity or organization implementing an embodiment disclosed herein may monitor and protect network traffic to and from social networking sites.
  • Company B may own and operate an example uncontrolled system referred to hereinafter as social networking site 320 independent of Company A which owns and operates enterprise computing environment 140 , also referred to herein as company network 140 , private network 140 , internal network 140 or simply network 140 .
  • Company A may represent an entity.
  • Company B may comprise hardware, software, infrastructure, and people necessary to operate and maintain social networking site 320 .
  • Social networking site 320 may be implemented in a manner known to those skilled in the art.
  • a user may log in to social networking site 320 via a browser application or via a mobile application running on the user's wired or wireless computing device.
  • Examples of a wireless computing device may include, but are not limited to, a laptop computer, a personal digital assistant (PDA), a mobile phone, an Internet enabled mobile device, and so on.
  • proxy 150 resides within network 140 and is bi-directionally coupled to end user 130 via a wired or wireless internal network connection. Proxy 150 may be communicatively coupled to social network 320 over Internet 110 . In some embodiments, proxy 150 may function as a gateway or intermediary between end user 130 and social networking site 320 . More specifically, proxy 150 may be responsible for receiving all incoming requests from and sending corresponding responses to end user 130 . As illustrated in FIG.
  • proxy 150 may operate to receive a user request from user 130 (step 503 ), determine whether that request contains a destination pertaining to social networking site 320 (step 511 ), and either pass the request from user 130 that is destined to social networking site 320 to middleware 310 for processing (step 513 ) or pass the request to the destination (step 521 ) if it is not destined to social networking site 320 .
  • middleware 310 may operate to stop these messages and send them through a moderation process (step 507 ). If a message is to be blocked (step 523 ), middleware 310 may simulate a response to the user device from which the message originated. The simulated response may resemble a response from social networking site 320 , with an indication that the user's message has been blocked.
  • An example of such a response may be a web page that is structured and assembled by middleware 310 on-the-fly, with at least one feature-level modification to inform the user that the message has been blocked.
  • the simulated response generated by middleware 310 may be substantially similar to a corresponding response generated by social networking site 320 .
  • Readers are directed to co-pending U.S. patent application Ser. No. 12/785,294, filed May 21, 2010, entitled “METHOD, SYSTEM AND COMPUTER PROGRAM PRODUCT FOR STRUCTURING UNSTRUCTURED DATA ORIGINATING FROM UNCONTROLLED WEB APPLICATION,” for examples of structuring unstructured data originating from an uncontrolled web application and co-pending U.S. patent application Ser. No.
  • features/subfeatures of an uncontrolled application refer to software components/subcomponents of the uncontrolled application.
  • a feature or subfeature of an uncontrolled application may be a function that allows a user to take a certain action via the uncontrolled application.
  • features may include status update, wall post, messaging, chat, photo upload, commenting, and so on.
  • Non-limiting examples of subfeatures may include functions involved when using a feature. For example, a “like” button associated with the status update feature may be considered as a subfeature. Moreover, certain features/subfeatures may be common to two or more social networking sites. Status update may be one example feature that is common to many social networking sites.
  • middleware 310 resides and operates outside of network 140 .
  • middleware 310 may reside within network 140 .
  • FIG. 7 depicts a diagrammatic representation of another system architecture in which the internal communication of an uncontrolled system is intercepted by an embodiment of middleware 310 disclosed herein.
  • middleware 310 may be implemented as part of proxy 150 .
  • middleware 310 may be implemented as a service to proxy 150 .
  • middleware 310 may have prior knowledge of what uncontrolled systems may be accessed by users in network 140 .
  • middleware 310 may have access to a list of universal resource locator (URL) addresses that are associated with uncontrolled systems and that are subject to interception, quarantine, and/or moderation.
  • An example of such a URL may be: <http://www.twitter.com/status/update>.
  • middleware 310 may have prior knowledge of what type of content in a user request referencing one of the designated URLs would be subject to interception. For example, middleware 310 may inspect or parse the request and determine that the request is of the status update type and, as such, is subject to interception.
  • middleware 310 may inspect or parse the request and determine that the request is subject to quarantine and operate to isolate the request without putting the request through any moderation process.
  • middleware 310 may inspect or parse the request and determine how the request should be automatically moderated based on a variety of factors, including, but not limited to, company policies, business rules, feature types, keywords, patterns, user privilege, user role, etc.
  • An example of a pattern of interest may be a 16-digit number representing a credit card number that the user has provided in the request to the uncontrolled system.
  • middleware 310 may operate to intercept such a request and block the user's submission of the credit card number.
  • Another example of a pattern of interest may be a social security number.
  • the feature types that would be useful in automated moderation may include, but are not limited to, the following:
  • For each feature type there may be subtypes (subfeatures).
  • the subtypes of broadcasts may include wall posts, tweets, status updates, etc.
  • the subtypes of actions may include adding a friend, making a recommendation, searching a friend, a word, a page, an event, and so on.
  • the subtypes of profile may include name, location, hobbies, links, etc.
  • the subtypes of directed messages may include private messages, group mail, web based mail, etc.
  • Each source or social networking site would have a distinct set of features or application components (including subfeatures or subcomponents), one or more of which may be of interest to Company A for the purpose of controlling accesses thereto by users of network 140 .
  • the definitions or specifications of source-specific features and subfeatures may be maintained in a centralized location such as a library or a database that is accessible by middleware 310 .
  • a semi-automated moderation process may comprise conducting an automatic coarse analysis of an intercepted request and forwarding the request for a more detailed manual review or evaluation.
  • middleware 310 may implement a completely automated process (i.e., intercept and moderate every request designating an uncontrolled system), a mostly manual moderation process, or something in between. For example, in some embodiments, middleware 310 may randomly intercept 20% of the requests in network 140 designating uncontrolled systems 320 .
  • middleware 310 may comprise filters.
  • a filter comprises a piece of code that is designed to recognize a particular portion of an application-level dynamic protocol.
  • An example of such a protocol is the Hypertext Transfer Protocol (HTTP).
  • Dynamic protocols are known to those skilled in the art and techniques for parsing network traffic in such protocols are also known to those skilled in the art.
  • middleware 310 may comprise various filters for parsing and access control.
  • filters for parsing and access control are described below.
  • The following is an example of a filter for parsing an HTML message from a social networking site known as Facebook:
  • HTMLDoc doc = HTMLDoc.parse(payload); // parse the intercepted payload into a document tree
  • HTMLElement element = doc.findByClass("message"); // locate the element that carries the message text
  • Middleware 310 may further comprise various filters for content control and for understanding how, when, and what application external to network 140 is changing, and/or what type of change is involved. It could be a functional change, a layout change, a message format change, etc. For example, some embodiments may implement one or more of the following non-limiting types of filters:
  • middleware filters disclosed herein are distinct from filters used by conventional web scanning systems. While web scanning systems may be able to monitor network traffic and detect certain words or patterns and block a request to a social networking site, they have no method to block the request elegantly, without breaking the user experience. One reason is that when a web filter blocks an http request, it generally does not send a response back to the application that made the request. Consequently, the application either continues to run indefinitely or simply times out, thereby breaking the user experience. This kind of web filter is generally applied to all the network traffic under monitoring, without regard to the destination. Moreover, conventional web scanning systems have no means of resubmitting the request if it is approved by a moderator.
  • FIG. 8 depicts a diagrammatic representation of a prior art architecture in which internal communication 340 of uncontrolled system 320 in network 840 is not intercepted but is moderated via internal moderator 820 . As FIG. 8 illustrates, this approach does not provide network 140 with the ability to moderate internal communications 340 and network 140 remains unable to control the content, including possibly confidential information, submitted by user 130 to uncontrolled system 320 .
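The interception and moderation stage described in the bullets above (destination URL check, feature typing, automated pattern checks for a credit card or social security number, the quarantine path, the 20% random sample for manual review, the simulated block response, and reconstruction for resubmission), written out as an added example that is not part of the patent. The URL table, policy values, form field names and the Luhn check are assumptions made for illustration.

```python
import random
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed policy table: destination URLs subject to interception, mapped to
# the feature type they carry and the company policy for that feature type.
# "review" = automated check, then a random sample goes to a human moderator;
# "quarantine" = isolate the request without any moderation.
INTERCEPTED = {
    ("www.twitter.com", "/status/update"): ("broadcast", "review"),
    ("social.example.test", "/messages/send"): ("directed_message", "quarantine"),
}
SAMPLE_RATE = 0.2  # fraction of reviewed requests sent to manual moderation

CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")  # 16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # US social security number shape


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (assumed refinement) so any 16-digit figure is not a hit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Request:
    user: str
    url: str
    form: dict  # fields prepared by the uncontrolled system's client-side code


@dataclass
class Decision:
    action: str  # "pass", "block", "quarantine" or "queue"
    reason: str
    feature: Optional[str] = None


def classify(req: Request) -> Optional[tuple]:
    """Return (feature, policy) when the destination is an intercepted URL."""
    parts = urlsplit(req.url)
    return INTERCEPTED.get((parts.hostname, parts.path))


def pattern_check(text: str) -> Optional[str]:
    """Automated moderation: name the first pattern of interest found, if any."""
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "credit card number"
    if SSN_RE.search(text):
        return "social security number"
    return None


def moderate(req: Request, draw: Optional[float] = None) -> Decision:
    """Decide the fate of a request; `draw` replaces the random sample in tests."""
    hit = classify(req)
    if hit is None:
        return Decision("pass", "destination not subject to interception")
    feature, policy = hit
    if policy == "quarantine":
        return Decision("quarantine", "feature isolated by policy", feature)
    text = " ".join(str(v) for v in req.form.values())
    reason = pattern_check(text)
    if reason:
        return Decision("block", f"contains a {reason}", feature)
    if draw is None:
        draw = random.random()
    if draw < SAMPLE_RATE:
        return Decision("queue", "sampled for manual moderation", feature)
    return Decision("pass", "automated moderation found nothing", feature)


def simulated_response(req: Request, decision: Decision) -> dict:
    """Stand-in for the site's reply so the client code neither hangs nor times out."""
    return {
        "status": 200,
        "ok": False,
        "feature": decision.feature,
        "notice": f"Your {decision.feature} was not sent: {decision.reason}.",
    }


def reconstruct(req: Request) -> dict:
    """Rebuild the intercepted request for resubmission once it is approved."""
    return {"method": "POST", "url": req.url, "form": dict(req.form)}


if __name__ == "__main__":
    # Constructed sample request carrying a well-known test card number.
    r = Request("alice", "http://www.twitter.com/status/update",
                {"status": "card on file: 4111 1111 1111 1111"})
    d = moderate(r)
    print(d, simulated_response(r, d) if d.action == "block" else reconstruct(r))
```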

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Databases & Information Systems (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Environmental & Geological Engineering (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Embodiments disclosed herein may intercept, quarantine, and moderate communications internal to an uncontrolled system. An example of an uncontrolled system may be a web application associated with a social networking site. In accessing the social networking site, a user may type in a message. An instance of the uncontrolled system running on the user's device may prepare a request containing the message. Some embodiments disclosed herein may determine that the message is subject to moderation, intercept the request, and place the message in a queue. This determination may be based on the destination of the request as well as the type of the message. Some embodiments may reconstruct the original request for resubmission. If the session is expired, some embodiments may log in for the user and resubmit the reconstructed request. Some embodiments may simply wait for the next time the user logs in to resubmit the reconstructed request.

Description

CROSS-REFERENCE TO RELATED APPLICATION
This application is a continuation of, and claims a benefit of priority under 35 U.S.C. 120 of the filing date of U.S. patent application Ser. No. 12/785,276, filed May 21, 2010, now U.S. Pat. No. 8,601,114, entitled “METHOD, SYSTEM AND COMPUTER PROGRAM PRODUCT FOR INTERCEPTION, QUARANTINE AND MODERATION OF INTERNAL COMMUNICATIONS OF UNCONTROLLED SYSTEMS,” which is fully incorporated by reference herein.
TECHNICAL FIELD
This disclosure relates generally to web applications and more particularly to social networking applications. Even more particularly, this disclosure relates to a system, method, and computer program product comprising instructions translatable by a computer to intercept, quarantine, and moderate communications internal to systems that are beyond the control of computing environments where embodiments disclosed herein may reside.
BACKGROUND
Advances in communications technology often change how people communicate and share information. More recently, social networking sites are providing new ways for users to interact and keep others abreast of their personal and business dealings. The growth of social networking sites is staggering. New sites are emerging daily and new users are joining in droves. Today, social networking sites are being used regularly by millions of people around the globe, and it seems that social networking via websites will continue to be a part of everyday life at least in the United States.
The main types of social networking services provided by social networking sites are those which contain directories or categories, a means to connect with friends, and a means to recommend other individuals. For example, a social networking site may allow a user to identify an individual as a friend, a former classmate, or an uncle. The social networking site may recommend to the user another individual as a potential friend and also provide a personalized web page for the user to interact with those that the user has identified as “friends” via the social networking site.
Some social networking sites provide functions in the form of web applications for members to create user profiles, send messages to other members who are their “friends,” and personalize web pages available to friends and/or the general public. Through these web applications, social networking sites can connect people at low cost and very high efficiency. Some entrepreneurs and businesses looking to expand their contact base have recognized these benefits and are utilizing some social networking sites as a customer relationship management tool for selling their products and services.
For businesses and entities alike looking to embrace social networking sites as an additional method to exchange information between employees, clients, vendors, etc., the integration of social networking sites into their internal computing environments necessarily raises several critical concerns. What activities will people be allowed to be engaged in? What information may be disclosed and to what extent? Who is the information being disclosed to? Is malicious or otherwise damaging material being accessed or allowed onto the business's computers? How can a business manage the activities of particular users or groups?
Currently, there are no viable solutions to these difficult questions as businesses do not have control over web applications and associated data provided by independent entities, including social networking sites owned and operated by such independent entities. Some businesses have the means to block traffic to and from social networking sites. Some businesses can only hope that their employees are only using these social networking sites in the best interest of the company. There is no guarantee that the employees will police their own access to and participation at social networking sites and there is always the concern of an employee knowingly or unknowingly posting confidential information on a social networking site. Because of these risks, many businesses simply choose to deny their employees access to uncontrolled web applications and forgo the efficiencies and cooperative gains that may come from embracing social networking sites.
SUMMARY
Traditionally, to the extent that a business or entity allows users within its computing environment access to the Internet, it has no way of controlling, monitoring, and/or archiving communications between its users and web applications that are not provided by the business or entity. This type of web application is referred to herein as an uncontrolled web application as it is not controlled by the business or entity that operates the computing environment from where user requests for access are generated. Uncontrolled web applications or software systems are collectively referred to herein as uncontrolled systems. Uncontrolled systems may come in various forms. One example of an uncontrolled system may be an application running on a social networking site such as Facebook.
While web scanning systems may be able to monitor network traffic and detect certain words or patterns and block a request to a social networking site, they have no method to block the request elegantly, without breaking the user experience. Moreover, conventional web scanning systems have no means of resubmitting the request if it is approved by a moderator.
Embodiments disclosed herein provide a system, method, and computer program product comprising one or more non-transitory computer readable storage media storing computer instructions for intercepting, quarantining, and moderating internal communications of uncontrolled systems. In some embodiments, the functionality disclosed herein can be implemented as a middleware or proxy within or outside an enterprise computing environment, a private network, or the like.
In some embodiments, a method for intercepting, quarantining, and moderating internal communications of an uncontrolled system may comprise loading an instance of the uncontrolled system on a device associated with a user in a computing environment. The uncontrolled system may reside at a server computer external to and independent and separate from the computing environment. During the course of accessing the uncontrolled system, the user may type in a message as usual. An instance of the uncontrolled system running on the user's device may prepare a request containing the message. Some embodiments disclosed herein may determine that the message is subject to moderation, intercept the request, and place the message in a moderation queue. This determination may be based on the destination of the request as well as the type of the message.
In some embodiments, a computer may perform the interception and put the original request in a moderation queue. In some embodiments, the moderation queue may reside within or outside of the computing environment. In some embodiments, a proxy or middleware server computer may perform all the functions disclosed herein, including interception, quarantine, moderation, resubmission, and so on.
In some embodiments, moderation may comprise automated moderation, manual moderation, or a combination thereof. Through moderation, intercepted requests may be blocked or allowed to be resubmitted. When an intercepted request is approved for resubmission, some embodiments may reconstruct the original request. If a session corresponding to the original request has since expired, some embodiments may log in for the user and resubmit the reconstructed request. Some embodiments may simply wait for the next time the user logs in to resubmit the reconstructed request. Some embodiments may comprise a plurality of application programming interfaces (APIs), each of which is specific to an uncontrolled system, and may communicate the reconstructed request with the uncontrolled system via a corresponding API.
Because embodiments disclosed herein have the ability to intercept, quarantine, and moderate communications internal to uncontrolled systems, it may not be necessary for an entity operating a private network to block its users from accessing such uncontrolled systems entirely. In this way, it is possible for entities and enterprises alike to gain benefits that may come from embracing social networking sites without risking the downsides of allowing their users access to uncontrolled web applications.
These, and other, aspects of the disclosure will be better appreciated and understood when considered in conjunction with the following description and the accompanying drawings. It should be understood, however, that the following description, while indicating various embodiments of the disclosure and numerous specific details thereof, is given by way of illustration and not of limitation. Many substitutions, modifications, additions and/or rearrangements may be made within the scope of the disclosure without departing from the spirit thereof, and the disclosure includes all such substitutions, modifications, additions and/or rearrangements.
DESCRIPTION OF THE DRAWINGS
The drawings accompanying and forming part of this specification are included to depict certain aspects of the disclosure. It should be noted that the features illustrated in the drawings are not necessarily drawn to scale. A more complete understanding of the disclosure and the advantages thereof may be acquired by referring to the following description, taken in conjunction with the accompanying drawings in which like reference numbers indicate like features and wherein:
FIG. 1 depicts a simplified diagrammatic representation of a prior art architecture in which users in a private network may access social networking sites via the Internet;
FIG. 2 depicts a diagrammatic representation of an exemplary computer system comprising at least one computer readable storage medium storing computer instructions implementing an embodiment disclosed herein;
FIG. 3 depicts a simplified diagrammatic representation of a prior art architecture in which a piece of code from an uncontrolled application or software system such as one that is associated with a social networking site may run on a user's device and conduct internal communications with the uncontrolled system;
FIG. 4 depicts a simplified diagrammatic representation of a system architecture in which the internal communication of an uncontrolled system is intercepted by an embodiment disclosed herein;
FIG. 5 depicts a flow diagram illustrating an example of one embodiment of a method for intercepting, quarantining, and moderating internal communications of an uncontrolled system;
FIG. 6 depicts a diagrammatic representation of a system architecture in which the internal communication of an uncontrolled system is intercepted by an embodiment disclosed herein;
FIG. 7 depicts a diagrammatic representation of another system architecture in which the internal communication of an uncontrolled system is intercepted by an embodiment disclosed herein; and
FIG. 8 depicts a diagrammatic representation of a prior art architecture in which the internal communication of an uncontrolled system is not intercepted but is moderated internally.
DETAILED DESCRIPTION
The disclosure and various features and advantageous details thereof are explained more fully with reference to the exemplary, and therefore non-limiting, embodiments illustrated in the accompanying drawings and detailed in the following description. Descriptions of known programming techniques, computer software, hardware, operating platforms and protocols may be omitted so as not to unnecessarily obscure the disclosure in detail. It should be understood, however, that the detailed description and the specific examples, while indicating the preferred embodiments, are given by way of illustration only and not by way of limitation. Various substitutions, modifications, additions and/or rearrangements within the spirit and/or scope of the underlying inventive concept will become apparent to those skilled in the art from this disclosure.
Software implementing embodiments disclosed herein may be implemented in suitable computer-executable instructions that may reside on one or more computer-readable storage media. Within this disclosure, the term “computer-readable storage media” encompasses all types of data storage media that can be read by a processor. Examples of computer-readable storage media can include random access memories, read-only memories, hard drives, data cartridges, magnetic tapes, floppy diskettes, flash memory drives, optical data storage devices, compact-disc read-only memories, and other appropriate computer memories and data storage devices.
As used herein, the terms “comprises,” “comprising,” “includes,” “including,” “has,” “having,” or any other variation thereof, are intended to cover a non-exclusive inclusion. For example, a process, product, article, or apparatus that comprises a list of elements is not necessarily limited only to those elements but may include other elements not expressly listed or inherent to such process, product, article, or apparatus. Further, unless expressly stated to the contrary, “or” refers to an inclusive or and not to an exclusive or. For example, a condition A or B is satisfied by any one of the following: A is true (or present) and B is false (or not present), A is false (or not present) and B is true (or present), and both A and B are true (or present).
Additionally, any examples or illustrations given herein are not to be regarded in any way as restrictions on, limits to, or express definitions of, any term or terms with which they are utilized. Instead these examples or illustrations are to be regarded as being described with respect to one particular embodiment and as illustrative only. Those of ordinary skill in the art will appreciate that any term or terms with which these examples or illustrations are utilized encompass other embodiments as well as implementations and adaptations thereof which may or may not be given therewith or elsewhere in the specification and all such embodiments are intended to be included within the scope of that term or terms. Language designating such non-limiting examples and illustrations includes, but is not limited to: “for example,” “for instance,” “e.g.,” “in one embodiment,” and the like.
Those skilled in the art will recognize that the disclosed embodiments have relevance to a wide variety of areas in addition to the specific examples described below. For example, although the examples below are described in the context of employers and employees, some embodiments disclosed herein can be adapted or otherwise implemented to work in other types of relationships, circumstances, and places such as public libraries, parent-child, school-student, or any other place or relationship where it is desirable to monitor and protect network traffic to and from social networking sites.
FIG. 1 depicts a simplified diagrammatic example of how traditionally an entity or organization may monitor and protect network traffic to and from social networking sites. In this example, Company A may own and operate company network 140. Examples of company network 140 may include a local area network (LAN), an intranet—a private computer network within the organization, etc. User 130 of company network 140 may access Internet 110 via proxy 150. Social networking sites 120 may be generally accessible by users connected to Internet 110. As an example, social networks 120 may include, but are not limited to, Facebook®, LinkedIn®, Twitter®, MySpace®, Friendster®, Multiply®, Orkut®, Cyworld®, Hi5®, and others. All trademarks, service marks, and logos used herein are properties of their respective companies.
In some cases, proxy 150 of company network 140 may monitor and block all network traffic to and from one or more social networking sites 120 by way of a firewall implemented on proxy 150. As known to those skilled in the art, a firewall may be implemented as a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. A firewall may be implemented as a device or a set of devices configured to permit, deny, encrypt, decrypt, or proxy all incoming and outgoing network traffic between different domains based upon a set of rules and other criteria. Firewalls may be implemented in hardware, software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. Generally, all messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
Proxy 150 represents a server computer that acts as an intermediary for requests from user 130 seeking resources from other servers, including those that reside outside of network 140. Those skilled in the art can appreciate that user 130 is a representation of a typical user in company network 140 and may include software and hardware utilized by the user to access company network 140 and Internet 110.
FIG. 2 depicts an exemplary system within a computing environment where embodiments disclosed herein may be implemented. Components 202 of computing system 200 may include, but are not limited to, processing unit 204, system memory 206, and system bus 208. System bus 208 may couple various system components including system memory 206 to processing unit 204. System bus 208 may comprise any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures.
Computing system 200 may include a variety of computer readable storage media. Computer readable storage media can be any available storage media that can be accessed by computing system 200. By way of example, and not of limitation, computer readable storage media may comprise volatile and nonvolatile storage media and removable and non-removable storage media. Computer readable storage media storing computer instructions implementing embodiments disclosed herein may be manufactured by known methods and materials and may rely on known programming languages and techniques for storage of information thereon. Examples of computer readable storage media may include, but are not limited to, random access memory (RAM), read only memory (ROM), EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by computing system 200.
In the example shown in FIG. 2, system memory 206 includes ROM 210 and RAM 212. ROM 210 may store basic input/output system 214 (BIOS), containing the basic routines that help to transfer information between elements within computing system 200, such as those used during start-up. RAM 212 may store data and/or program modules that are immediately accessible to and/or presently being operated on by processing unit 204. By way of example, and not of limitation, FIG. 2 shows RAM 212 storing operating system 216, application programs 218, other program modules 220, and program data 222.
Computing system 200 may also include other removable/non-removable, volatile/nonvolatile computer readable storage media that can be employed to store computer instructions implementing some embodiments disclosed herein. By way of example only, computing system 200 may include hard disk drive 224, a magnetic disk drive 226, and/or optical disk drive 230. Hard drive (HD) 224 may read from and write to non-removable, nonvolatile magnetic media. Disk drive 226 may read from and write to removable, nonvolatile magnetic disk 228. Optical disk drive 230 may read from and write to a removable, nonvolatile optical disk 232 such as a CD ROM or other optical medium. Other removable/non-removable, volatile/nonvolatile computer readable storage media are also possible. As illustrated in FIG. 2, hard drive 224 may be connected to system bus 208 via a non-removable memory interface, such as interface 234, and magnetic disk drive 226 and optical disk drive 230 may be connected to system bus 208 via a removable memory interface, such as interface 238.
The drives and their associated computer readable storage media, discussed above, may provide storage of computer readable instructions, data structures, program modules and other data for computing system 200. For example, hard disk drive 224 may store operating system 268, application programs 270, other program modules 272 and program data 274. Note that these components can either be the same as or different from operating system 216, application programs 218, other program modules 220, and program data 222.
A user may enter commands and information into computing system 200 via input devices such as tablet or electronic digitizer 240, microphone 242, keyboard 244, and pointing device 246. Pointing device 246 may comprise a mouse, a trackball, and/or a touch pad. These and other input devices may be connected to processing unit 204 via user input interface 248. User input interface 248 may be coupled to system bus 208 or via other interface and bus structures, such as a parallel port, a game port, or a universal serial bus (USB).
Monitor or other type of display device 250 may be connected to system bus 208 via an interface, such as a video interface 252. Monitor 250 may also be integrated with a touch-screen panel or the like. Note that the monitor and/or touch screen panel can be physically coupled to a housing in which computing system 200 is incorporated, such as in a tablet-type personal computer. Computing system 200 may comprise additional peripheral output devices such as speakers 256 and printer 254, which may be connected via an output peripheral interface 258 or the like.
Computing system 200 may operate in a networked environment and may have logical connections to one or more remote computers, such as remote computing system 260. Remote computing system 260 may be a personal computer, a server, a router, a network PC, a peer device or other common network node. Although only a memory storage device 262 is shown in FIG. 2, remote computing system 260 may include many or all of the components and features described above with reference to computing system 200.
Logical connections between computing system 200 and remote computing system 260 may include local area network (LAN) 264, connecting through network interface 276, and wide area network (WAN) 266, connecting via modem 278. Additional networks may also be included.
Embodiments disclosed herein can be implemented to run on various platforms operating under system software such as IBM OS/2®, Linux®, UNIX®, Microsoft Windows®, Apple Mac OSX® and others in development or commercially available. The functionality disclosed herein may be embodied directly in hardware, in a software module executed by a processor or in any combination of the two. Furthermore, software operations may be executed, in part or wholly, by one or more servers or a client's system, via hardware, software module or any combination of the two. A software module (program or executable) may reside on one or more computer readable storage media described above. In FIG. 2, an exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may also reside in an application specific integrated circuit (ASIC). The bus may be an optical or conventional bus operating pursuant to various protocols that are known to those skilled in the art.
In an illustrative embodiment, computer instructions implementing some embodiments disclosed herein may comprise lines of compiled C++, Java, or other language code. Other architectures may be used. In the hardware configuration above, various software components may reside on any single computer or on any combination of separate computers. In some embodiments, some or all of the software components may reside on the same computer. In some embodiments, the functions of any of the systems and methods may be performed by a single computer. In some embodiments, different computers than are shown in FIG. 2 may perform those functions. Additionally, a computer program or its software components with such code may be embodied in more than one computer readable medium in more than one computer.
FIG. 3 depicts a simplified diagrammatic representation of a prior art architecture in which a piece of code such as JavaScript 330 from uncontrolled system 320 may run on a device associated with user 130 and conduct internal communications 340 with uncontrolled system 320. Communications 340 are considered internal to uncontrolled system 320 because code 330, acting as the user agent for uncontrolled system 320, is typically not controllable by administrator(s) of the computing environment from where user 130 accesses uncontrolled system 320.
More specifically, as described below in more detail, code 330 of uncontrolled system 320 is responsible for communications 340. This is in contrast to the generic network traffic described above with reference to FIG. 1 where a browser application running on a device associated with user 130 usually acts as the user agent and is generally responsible for preparing a request and submitting the request to a network site external to computing environment 140.
FIG. 4 depicts a simplified diagrammatic representation of system architecture 400 in which internal communications 340 between code 330 and uncontrolled system 320 may be intercepted by middleware 310. In some embodiments, internal communications 340 may comprise an application layer protocol request. In some embodiments, such a request may be a Hypertext Transfer Protocol (http) request. As a specific example, middleware 310 may intercept internal communications 340 and put them through a moderation flow. In some embodiments, such a moderation flow may be fully or semi-automated. The moderation may block communications 340 or may allow communications 340 to be resubmitted to uncontrolled system 320 via reconstructed request 440.
FIG. 5 depicts a flow diagram illustrating an example of one embodiment of a method for intercepting, quarantining, and moderating internal communications of an uncontrolled system. In some embodiments, method 500 may comprise loading a piece of code or an instance of an uncontrolled application on a device associated with a user in a computing environment (step 501) and monitoring traffic between the code running on the user device and the uncontrolled application running on an external site such as a social networking site (step 503). As an example, the social networking site may be operated by Twitter and the code may comprise Twitter JavaScript.
Referring also to FIG. 6, when user 130 types in a message, code 330 may formulate a request containing the message. Following the above example, when user 130 types in a tweet, the Twitter JavaScript may formulate an http request containing the tweet for posting to the user's Twitter account maintained by Twitter. Proxy server 150 residing in computing environment 140 or middleware 310 of system 600 may determine whether the request from user 130 is destined for uncontrolled system 320 (step 511). If the request from user 130 is not destined for uncontrolled system 320, the request is processed normally and flow 500 returns to step 503 to continue to monitor internal communications 340. If the request from user 130 is destined for uncontrolled system 320, proxy server 150 or middleware 310 may determine whether the request is subject to interception (step 513) based on the destination of the request as well as the type of message in the request. If the request from user 130 is not subject to interception, proxy server 150 or middleware 310 may forward the request to its destination (step 521). If the request from user 130 is subject to interception, proxy server 150 or middleware 310 may put the request through a moderation flow (step 505). In some embodiments, this involves placing a job corresponding to the request in a moderation queue. In some embodiments, moderation queue 650 may reside within computing environment 140. In some embodiments, moderation queue 610 may reside outside of computing environment 140.
Those skilled in the art will appreciate that it may not be necessary to perform all the steps of method 500 and that some steps may be skipped. Further, in some embodiments, additional steps may be included in method 500. Other modifications and variations may be possible without departing from the scopes and the spirits of this disclosure.
In some embodiments, method 500 may further comprise performing moderation on one or more jobs in the moderation queue (step 507). In some embodiments, middleware 310 may comprise a plurality of software tools 620, including moderation 660. In some embodiments, moderation 660 may be automated or semi-automated. In some embodiments, method 500 may further comprise determining whether to block a request or allow it to be resubmitted to uncontrolled system 320 (step 514). In some embodiments, if the request is not approved via moderation 660, the request is blocked (step 523). In some embodiments, if the request is approved, method 500 may further comprise performing resubmission of the approved request (step 509). In some embodiments, this may involve reconstructing the original, intercepted request.
If a session corresponding to the original request has since expired, some embodiments may log in for the user and resubmit the reconstructed request. Some embodiments may simply wait for the next time the user logs in to resubmit the reconstructed request. Some embodiments may comprise a plurality of application programming interfaces (APIs), each of which is specific to an uncontrolled system, and may communicate the reconstructed request with the uncontrolled system via a corresponding API.
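The flow of steps 511, 513, 521, 505, 507, 514, 523 and 509 described above, worked through as an added example; this is not the patent's code. The designated endpoint list, the Request/Job types, the policy_moderator callback and the shape of the simulated response are assumptions of this example, and the session re-login case is not covered.

```python
from collections import deque
from dataclasses import dataclass
from enum import Enum
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

class Verdict(Enum):
    APPROVE = "approve"
    BLOCK = "block"
    QUARANTINE = "quarantine"

@dataclass
class Request:
    method: str
    url: str
    headers: dict
    body: str  # form-encoded payload generated by the site's own JavaScript

# Constructed list of uncontrolled-system endpoints subject to interception:
# (host, path) -> feature type carried by that endpoint.
DESIGNATED = {
    ("www.twitter.com", "/status/update"): "broadcast",
    ("www.facebook.com", "/ajax/updatestatus.php"): "broadcast",
}
BROADCAST_PARAMS = ("status", "wall_post")

def destined_for_uncontrolled(req: Request) -> bool:
    """Step 511: is the request headed for a host on the designated list?"""
    host = urlsplit(req.url).hostname
    return any(host == h for h, _ in DESIGNATED)

def interception_type(req: Request) -> Optional[str]:
    """Step 513: the feature type if the request is subject to interception, else None.
    Destination-specific (host and path) and content-specific (only a POST that
    carries a broadcast parameter counts as a status update)."""
    parts = urlsplit(req.url)
    feature = DESIGNATED.get((parts.hostname, parts.path))
    if feature is None or req.method != "POST":
        return None
    params = parse_qs(req.body)
    if feature == "broadcast" and not any(p in params for p in BROADCAST_PARAMS):
        return None
    return feature

@dataclass
class Job:
    request: Request
    feature: str
    verdict: Optional[Verdict] = None

def simulated_response(job: Job) -> dict:
    """Step 523: a response shaped like the site's own, so the page code neither hangs nor times out."""
    body = '{"ok": false, "error": "Your %s was blocked by company policy"}' % job.feature
    return {"status": 200, "headers": {"Content-Type": "application/json"}, "body": body}

def reconstruct(req: Request) -> Request:
    """Step 509: rebuild the intercepted request; re-encode the form and recompute Content-Length."""
    body = urlencode(parse_qs(req.body, keep_blank_values=True), doseq=True)
    headers = {k: v for k, v in req.headers.items() if k.lower() != "content-length"}
    headers["Content-Length"] = str(len(body))
    return Request(req.method, req.url, headers, body)

def policy_moderator(job: Job) -> Verdict:
    """Constructed automated policy standing in for moderation 660."""
    text = job.request.body.lower()
    if "confidential" in text:
        return Verdict.BLOCK          # step 523
    if len(text) > 1000:
        return Verdict.QUARANTINE     # oversized: isolate for later manual review
    return Verdict.APPROVE            # step 509

class Middleware:
    def __init__(self, moderator):
        self.moderator = moderator    # callable(Job) -> Verdict, automated or human
        self.queue = deque()          # moderation queue (step 505)
        self.quarantined = []         # isolated, never put through moderation
        self.forwarded = []           # requests released to their destination

    def handle(self, req: Request) -> str:
        """Steps 511/513 for one request; returns 'forward' (step 521) or 'queued' (step 505)."""
        feature = interception_type(req) if destined_for_uncontrolled(req) else None
        if feature is None:
            self.forwarded.append(req)
            return "forward"
        self.queue.append(Job(req, feature))
        return "queued"

    def moderate(self):
        """Steps 507/514: drain the queue; returns [(job, outcome)] per job."""
        results = []
        while self.queue:
            job = self.queue.popleft()
            job.verdict = self.moderator(job)
            if job.verdict is Verdict.BLOCK:
                results.append((job, simulated_response(job)))   # outcome: simulated response
            elif job.verdict is Verdict.APPROVE:
                rebuilt = reconstruct(job.request)
                self.forwarded.append(rebuilt)
                results.append((job, rebuilt))                    # outcome: reconstructed request
            else:
                self.quarantined.append(job)
                results.append((job, None))                       # outcome: none, isolated
        return results
```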
FIG. 6 depicts a diagrammatic representation of a system architecture in which the internal communication of an uncontrolled system is intercepted by an embodiment disclosed herein. FIG. 6 illustrates how an entity or organization implementing an embodiment disclosed herein may monitor and protect network traffic to and from social networking sites. In this example, Company B may own and operate an example uncontrolled system referred to hereinafter as social networking site 320 independent of Company A which owns and operates enterprise computing environment 140, also referred to herein as company network 140, private network 140, internal network 140 or simply network 140. Company A may represent an entity. Examples of such an entity may include, but are not limited to, an enterprise, a business, a company, a school, a hospital, a library, a government agency, an office, a home, and so on. End user 130 may represent any individual in a public or private office, government, home, or school setting and may include software and hardware necessary for accessing network 140 and Internet 110. End user 130 may utilize a computing device to bi-directionally connect to Internet 110 where social networking site 320 resides. Communications media that may facilitate such bi-directional connections may include an intranet, a virtual private network (“VPN”), and/or a wireless network, etc.
Company B may comprise hardware, software, infrastructure, and people necessary to operate and maintain social networking site 320. Social networking site 320 may be implemented in a manner known to those skilled in the art. As a specific example, a user may log in to social networking site 320 via a browser application or via a mobile application running on the user's wired or wireless computing device. Examples of a wireless computing device may include, but are not limited to, a laptop computer, a personal digital assistant (PDA), a mobile phone, an Internet enabled mobile device, and so on.
In the example of FIG. 6, proxy 150 resides within network 140 and is bi-directionally coupled to end user 130 via a wired or wireless internal network connection. Proxy 150 may be communicatively coupled to social network 320 over Internet 110. In some embodiments, proxy 150 may function as a gateway or intermediary between end user 130 and social networking site 320. More specifically, proxy 150 may be responsible for receiving all incoming requests from and sending corresponding responses to end user 130. As illustrated in FIG. 5, in some embodiments of flow 500, proxy 150 may operate to receive a user request from user 130 (step 503), determine whether that request contains a destination pertaining to social networking site 320 (step 511), and either pass the request from user 130 that is destined to social networking site 320 to middleware 310 for processing (step 513) or pass the request to the destination (step 521) if it is not destined to social networking site 320.
As described above, in some embodiments, as users in network 140 post messages to social networking site 320 or any of the sites designated as subject to interception, middleware 310 may operate to stop these messages and send them through a moderation process (step 507). If a message is to be blocked (step 523), middleware 310 may simulate a response to the user device from where the message is originated. The simulated response may resemble a response from social networking site 320, with an indication that the user's message has been blocked. An example of such a response may be a web page that is structured and assembled by middleware 310 on-the-fly, with at least one feature-level modification to inform the user that the message has been blocked. In some embodiments, other than certain feature(s) being disabled or unavailable to user 130, the simulated response generated by middleware 310 may be substantially similar to a corresponding response generated by social networking site 320. Readers are directed to co-pending U.S. patent application Ser. No. 12/785,294, filed May 21, 2010, entitled “METHOD, SYSTEM AND COMPUTER PROGRAM PRODUCT FOR STRUCTURING UNSTRUCTURED DATA ORIGINATING FROM UNCONTROLLED WEB APPLICATION,” for examples of structuring unstructured data originating from an uncontrolled web application and co-pending U.S. patent application Ser. No. 12/785,278, filed May 21, 2010, entitled “METHOD, SYSTEM AND COMPUTER PROGRAM PRODUCT FOR ENFORCING ACCESS CONTROLS TO FEATURES AND SUBFEATURES ON UNCONTROLLED WEB APPLICATION,” for examples of feature-level modifications to data originating from an uncontrolled web application. Within this disclosure, features/subfeatures of an uncontrolled application refer to software components/subcomponents of the uncontrolled application. In some embodiments, a feature or subfeature of an uncontrolled application may be a function that allows a user to take a certain action via the uncontrolled application. 
Non-limiting examples of features may include status update, wall post, messaging, chat, photo upload, commenting, and so on. Non-limiting examples of subfeatures may include functions involved when using a feature. For example, a “like” button associated with the status update feature may be considered as a subfeature. Moreover, certain features/subfeatures may be common to two or more social networking sites. Status update may be one example feature that is common to many social networking sites.
In the example of FIG. 6, middleware 310 resides and operates outside of network 140. In some embodiments, middleware 310 may reside within network 140. FIG. 7 depicts a diagrammatic representation of another system architecture in which the internal communication of an uncontrolled system is intercepted by an embodiment of middleware 310 disclosed herein. In some embodiments of system 700, middleware 310 may be implemented as part of proxy 150. In some embodiments of system 700, middleware 310 may be implemented as a service to proxy 150.
Unlike conventional network traffic interception, the interception disclosed here is source/destination specific as well as content type specific. In some embodiments, middleware 310 may have prior knowledge of what uncontrolled systems may be accessed by users in network 140. For example, middleware 310 may have access to a list of uniform resource locator (URL) addresses that are associated with uncontrolled systems and that are subject to interception, quarantine, and/or moderation. An example of such a URL may be: <http://www.twitter.com/status/update>. In some embodiments, middleware 310 may have prior knowledge of what type of content in a user request referencing one of the designated URLs would be subject to interception. For example, middleware 310 may inspect or parse the request and determine that the request is of the status update type and, as such, is subject to interception.
In some embodiments, an automated moderation process may comprise determining a type of the request and processing a payload of the request accordingly. For example, if it is determined that the request is of the status update type, the automated moderation process may determine that the payload of the request should be blocked. An example of such a payload may be “status=‘hello world’”.
As another example, middleware 310 may inspect or parse the request and determine that the request is subject to quarantine and operate to isolate the request without putting the request through any moderation process.
In some embodiments, middleware 310 may inspect or parse the request and determine how the request should be automatically moderated based on a variety of factors, including, but not limited to, company policies, business rules, feature types, keywords, patterns, user privilege, user role, etc.
An example of a pattern of interest may be a 16-digit number representing a credit card number that the user has provided in the request to the uncontrolled system. In one embodiment, middleware 310 may operate to intercept such a request and block the user's submission of the credit card number. Another example of a pattern of interest may be a social security number.
In some embodiments, the feature types that would be useful in automated moderation may include, but are not limited to, the following:
    • broadcasts;
    • actions;
    • profile; and
    • directed messages.
Within each feature type, there may be subtypes (subfeatures). For example, the subtypes of broadcasts may include wall posts, tweets, status updates, etc. The subtypes of actions may include adding a friend, making a recommendation, searching a friend, a word, a page, an event, and so on. The subtypes of profile may include name, location, hobbies, links, etc. The subtypes of directed messages may include private messages, group mail, web based mail, etc. Each source or social networking site would have a distinct set of features or application components (including subfeatures or subcomponents), one or more of which may be of interest to Company A for the purpose of controlling accesses thereto by users of network 140. In some embodiments, the definitions or specifications of source-specific features and subfeatures may be maintained in a centralized location such as a library or a database that is accessible by middleware 310.
In some embodiments, a semi-automated moderation process may comprise conducting an automatic coarse analysis of an intercepted request and forwarding the request for a more detailed manual review or evaluation. In some embodiments, middleware 310 may implement a completely automated process (i.e., intercept and moderate every request designating an uncontrolled system), a mostly manual moderation process, or anything in between. For example, in some embodiments, middleware 310 may randomly intercept 20% of the requests in network 140 designating uncontrolled systems 320.
In some embodiments, middleware 310 may comprise filters. Within this disclosure, a filter comprises a piece of code that is designed to recognize a particular portion of an application-level dynamic protocol. Hypertext Transfer Protocol (http) is an example of an application-level protocol. Unlike defined or otherwise standardized protocols such as those used in e-mail communications and instant messaging, dynamic protocols used by social networking sites may change over time, be undefined, and/or vary from site to site. Dynamic protocols are known to those skilled in the art and techniques for parsing network traffic in such protocols are also known to those skilled in the art.
In some embodiments, middleware 310 may comprise various filters for parsing and access control. Below is an example of a filter for parsing an example HTML message from a social networking site known as Facebook.
Filter 1—Parse HTML Message
    // Returns the text of the element carrying the "message" class; the
    // return type must be String for the return statement to be valid.
    String parse(String payload) {
        HTMLDoc doc = HTMLDoc.parse(payload);
        HTMLElement element = doc.findByClass("message");
        String message = element.text();
        return message;
    }
Middleware 310 may further comprise various filters for content control and for understanding how, when, and what application external to network 140 is changing, and/or what type of change is involved. It could be a functional change, a layout change, a message format change, etc. For example, some embodiments may implement one or more of the following non-limiting types of filters:
  • 1) Access control filters. These filters manipulate the code of a web application to enable and disable access to certain features depending on who the accessing user is.
  • 2) Data archiving filters. These filters record information as it is transmitted across the wire. This may be information that is posted to social networks, or retrieved from social networks.
  • 3) Data security filters. These filters monitor information as it is published to social networks. If data is deemed private or sensitive (by a Data Leakage Protection system or otherwise), the user will be sent a notification that they are not allowed to post that information.
  • 4) Secure messaging filters. These filters trap information before it is able to post to a social network and store it internally. The message is replaced or otherwise substituted with a placeholder that is sent to the social network. If a user is sent the message with the placeholder, middleware 310 will remove the placeholder and display the original message. In some embodiments, middleware 310 is implemented in an appliance.
  • 5) Notification Filters. These filters notify the user of certain information. For example, a company watermark may be placed onto a social network, informing a user of the company usage policy.
Below are non-limiting examples of various types of filters written for the example social networking site Facebook.
1) Access control filter, to disable Facebook chat:
    void process(String page, User user) {
        HTMLDoc doc = HTMLDoc.parse(page);
        if (user.canAccessFacebookChat() == false) {
            doc.findById("chat").delete();
        }
    }
2) Data archiving filter, to record Facebook chat:
    void process(String page, User user) {
        HTTPPost post = HTTPPost.parse(page);
        String fromUsername = post.getParam("fromUser");
        String toUsername = post.getParam("toUser");
        String message = post.getParam("message");
        // record the parsed values (the original referred to undeclared variables)
        DataStore.record(fromUsername, toUsername, message);
    }
3) Data security filter, to block credit card numbers from posting to Facebook walls:
    void process(String page, User user) {
        HTTPPost post = HTTPPost.parse(page);
        String wallPost = post.getParam("wall_post");
        if (ContainsCreditCardNumber(wallPost) == true) {
            ReturnErrorToUser();
        } else {
            AllowMessageToPost();
        }
    }
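The pattern-based automated moderation described earlier (a 16-digit credit card number or a social security number in the payload) and the ContainsCreditCardNumber check in the data security filter above, worked out as an added example that is not part of the patent. The names contains_credit_card_number, find_ssns and moderate_payload are this example's own, and the Luhn check is added here to cut false positives on arbitrary 16-digit numbers such as order IDs.

```python
import re

# Candidate card number: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run.
_CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in the common 3-2-4 form, excluding groups that are never issued.
_SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_credit_card_numbers(text: str) -> list:
    """Digit strings in text that look like card numbers and pass the Luhn check."""
    found = []
    for m in _CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def contains_credit_card_number(text: str) -> bool:
    return bool(find_credit_card_numbers(text))


def find_ssns(text: str) -> list:
    return _SSN_RE.findall(text)


def moderate_payload(params: dict) -> dict:
    """Automated moderation over parsed request parameters, e.g. {"status": "hello world"}.
    Returns the verdict plus the reasons so a reviewer in a semi-automated flow sees why."""
    reasons = []
    for name, value in params.items():
        if contains_credit_card_number(value):
            reasons.append(f"{name}: credit card number")
        if find_ssns(value):
            reasons.append(f"{name}: social security number")
    return {"verdict": "block" if reasons else "approve", "reasons": reasons}
```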
4) Secure messaging filter, to replace Facebook wall post messages with a placeholder:
    // When posting a Facebook wall post
    String process(String page, User user) {
        HTTPPost post = HTTPPost.parse(page);
        String message = post.getParam("wall_post");
        String placeholder = GetPlaceholder(message);
        // the placeholder must be passed as the new parameter value
        post.setParam("wall_post", placeholder);
        // update the page with the new placeholder instead of message
        page = post.toString();
        return page;
    }
    // When viewing a wall message
    String process(String page, User user) {
        String placeholder = GetPlaceholder(page);
        String message = GetMessage(placeholder);
        // replace the placeholder with the original message; String.replace
        // returns a new string, so its result must be kept
        page = page.replace(placeholder, message);
        return page;
    }
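The secure messaging filter pair above, worked out as an added example that is not the patent's code: the outbound side holds the wall post internally and sends the social network only a placeholder, and the inbound side restores the original for an authorized viewer. The SecureMessageStore class, its in-memory store and the SMX- token format are assumptions of this example.

```python
import html
import re
import secrets
from urllib.parse import parse_qs, urlencode


class SecureMessageStore:
    """Holds outbound messages internally and hands the social network only a placeholder."""
    PREFIX = "SMX-"
    _TOKEN_RE = re.compile(r"SMX-[0-9a-f]{32}")

    def __init__(self):
        self._messages = {}  # placeholder token -> (author, original message)

    def hold(self, author: str, message: str) -> str:
        """Store the message and return a random placeholder; the token is not derived
        from the content, so the social network learns nothing from it."""
        token = self.PREFIX + secrets.token_hex(16)
        self._messages[token] = (author, message)
        return token

    def outbound(self, author: str, body: str) -> str:
        """Filter a form-encoded wall post on its way out: swap wall_post for a placeholder."""
        params = parse_qs(body, keep_blank_values=True)
        if "wall_post" in params:
            params["wall_post"] = [self.hold(author, params["wall_post"][0])]
        return urlencode(params, doseq=True)

    def inbound(self, page: str, viewer_authorized: bool) -> str:
        """Filter a page on its way in: restore originals for authorized viewers.
        Restored text is HTML-escaped before it is placed into the page, and tokens
        this store does not know are left untouched."""
        if not viewer_authorized:
            return page

        def restore(m):
            entry = self._messages.get(m.group())
            return html.escape(entry[1]) if entry else m.group()

        return self._TOKEN_RE.sub(restore, page)
```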
5) Notification filter, to add a watermark to Facebook:
    String process(String page, User user) {
        HTMLDoc doc = HTMLDoc.parse(page);
        // Insert new HTML code for the watermark
        doc.addElement(GenerateFacebookWatermark());
        page = doc.toString();
        return page;
    }
One skilled in the art will appreciate that other types of filters are also possible and that these filters would be source-specific and may vary from implementation to implementation.
Note that middleware filters disclosed herein are distinct from filters used by conventional web scanning systems. While web scanning systems may be able to monitor network traffic and detect certain words or patterns and block a request to a social networking site, they have no method to block the request elegantly, without breaking the user experience. One reason is that when a web filter blocks an http request, it generally does not send a response back to the application that made the request. Consequently, the application either continues to run indefinitely or simply times out, thereby breaking the user experience. This kind of web filter is generally applied to all the network traffic under monitoring, without regard to the destination. Moreover, conventional web scanning systems have no means of resubmitting the request if it is approved by a moderator.
On the other hand, some network sites may utilize internal filters to monitor incoming traffic and perform some kind of moderation before forwarding an incoming request to its internal destination. FIG. 8 depicts a diagrammatic representation of a prior art architecture in which internal communication 340 of uncontrolled system 320 in network 840 is not intercepted but is moderated via internal moderator 820. As FIG. 8 illustrates, this approach does not provide network 140 with the ability to moderate internal communications 340 and network 140 remains unable to control the content, including possibly confidential information, submitted by user 130 to uncontrolled system 320.
Although shown and described throughout this disclosure with specific reference to an enterprise, this disclosure is intended to encompass other networking and business environments including, but not limited to: small businesses, individual users, homes, public networks, etc. It should be understood that the description is by way of example only and is not to be construed in a limiting sense. It is to be further understood, therefore, that numerous changes in the details of the embodiments disclosed herein and additional embodiments will be apparent to, and may be made by, persons of ordinary skill in the art having reference to this description. For example, in addition to the above described embodiments, those skilled in the art will appreciate that this disclosure has application in a wide array of arts in addition to social networking and this disclosure is intended to include the same. Accordingly, the scope of the present disclosure should be determined by the following claims and their legal equivalents.

Claims (20)

What is claimed is:
1. A method for monitoring network traffic, comprising:
intercepting, by a computer having a processor and a memory, an internal communication between a first application running on a user device and a second application running on a server machine, the computer having no control over the first application and the second application, the first application comprising a piece of code from the server machine, the piece of code acting as an agent for the second application running on the server machine and is configured for the internal communication with the second application, the internal communication comprising a network message generated by the first application or the second application;
examining a source, a destination, and content referenced in the network message, the examining including parsing the network message using one or more filters specific to the source to determine one or more content types contained in the network message;
determining whether the source, the destination or the content referenced in the network message is subject to interception, quarantine, or moderation, the interception, quarantine or moderation being source-specific, destination-specific or content-specific;
determining, by the computer based at least on the one or more content types, whether the network message is to be blocked from reaching the destination, approved for reaching the destination, or quarantined;
the computer generating a simulated message for the destination if the network message is to be blocked from reaching the destination;
the computer reconstructing the network message if the network message is to be approved for reaching the destination; and
the computer isolating the network message without putting the network message through any moderation process if the network message is to be quarantined.
2. The method according to claim 1, wherein the second application is associated with a social networking site on the Internet.
3. The method according to claim 2, wherein the computer determines whether the network message is to be blocked from reaching the destination, approved for reaching the destination, or quarantined based on a plurality of factors, including a feature type of the social networking site existent in the network message.
4. The method according to claim 2, wherein the network message comprises application data from the social networking site for the first application to display a personalized web page on the user device, and wherein if a feature type of the personalized web page is to be blocked, the method further comprising, by the computer:
disabling at least one feature of the feature type in the application data from the social networking site;
assembling a web page resembling the personalized web page from the social networking site and with the at least one feature of the feature type disabled; and
forwarding the web page for display on the user device.
5. The method according to claim 1, wherein the computer determines whether the network message is to be blocked from reaching the destination, approved for reaching the destination, or quarantined based on a plurality of factors, including a pattern of numbers.
6. The method according to claim 1, further comprising placing the network message in a moderation flow if the network message is subject to moderation.
7. The method according to claim 6, wherein the moderation flow is fully automated or semi-automated.
8. A computer program product comprising at least one non-transitory computer readable medium storing instructions translatable by a computer to perform:
intercepting an internal communication between a first application running on a user device and a second application running on a server machine, the computer having no control over the first application and the second application, the first application comprising a piece of code from the server machine, the piece of code acting as an agent for the second application running on the server machine and that is configured for the internal communication with the second application, wherein the network message is generated by the first application or the second application;
examining a source, a destination, and content referenced in the network message, the examining including parsing the network message using one or more filters specific to the source to determine one or more content types contained in the network message;
determining whether the source, the destination or the content referenced in the network message is subject to interception, quarantine, or moderation, the interception, quarantine or moderation being source-specific, destination-specific or content-specific;
determining based at least on the one or more content types whether the network message is to be blocked from reaching the destination, approved for reaching the destination, or quarantined;
generating a simulated message for the destination if the network message is to be blocked from reaching the destination;
reconstructing the network message if the network message is to be approved for reaching the destination; and
isolating the network message without putting the network message through any moderation process if the network message is to be quarantined.
9. The computer program product of claim 8, wherein the second application is associated with a social networking site on the Internet.
10. The computer program product of claim 9, wherein the instructions are translatable by the computer to determine whether the network message is to be blocked from reaching the destination, approved for reaching the destination, or quarantined based on a plurality of factors, including a feature type of the social networking site existent in the network message.
11. The computer program product of claim 9, wherein the network message comprises application data from the social networking site for the first application to display a personalized web page on the user device, and wherein if a feature type of the personalized web page is to be blocked, the instructions are translatable by the computer to perform:
disabling at least one feature of the feature type in the application data from the social networking site;
assembling a web page resembling the personalized web page from the social networking site and with the at least one feature of the feature type disabled; and
forwarding the web page for display on the user device.
12. The computer program product of claim 8, wherein the instructions are translatable by the computer to determine whether the network message is to be blocked from reaching the destination, approved for reaching the destination, or quarantined based on a plurality of factors, including a pattern of numbers.
13. The computer program product of claim 8, wherein the instructions are translatable by the computer to perform:
placing the network message in a moderation flow if the network message is subject to moderation.
14. The computer program product of claim 13, wherein the moderation flow is fully automated or semi-automated.
15. A system for monitoring network traffic, comprising:
at least one processor; and
at least one non-transitory computer readable medium storing instructions translatable by the at least one processor to perform:
intercepting an internal communication between a first application running on a user device and a second application running on a server machine, the system having no control over the first application and the second application, the first application comprising a piece of code from the server machine, the piece of code acting as an agent for the second application running on the server machine and that is configured for the internal communication with the second application, wherein the network message is generated by the first application or the second application;
examining a source, a destination, and content referenced in the network message, the examining including parsing the network message using one or more filters specific to the source to determine one or more content types contained in the network message;
determining whether the source, the destination or the content referenced in the network message is subject to interception, quarantine, or moderation, the interception, quarantine or moderation being source-specific, destination-specific or content-specific;
determining based at least on the one or more content types whether the network message is to be blocked from reaching the destination, approved for reaching the destination, or quarantined;
generating a simulated message for the destination if the network message is to be blocked from reaching the destination;
reconstructing the network message if the network message is to be approved for reaching the destination; and
isolating the network message without putting the network message through any moderation process if the network message is to be quarantined.
16. The system of claim 15, wherein the second application is associated with a social networking site on the Internet.
17. The system of claim 16, wherein the instructions are translatable by the at least one processor to determine whether the network message is to be blocked from reaching the destination, approved for reaching the destination, or quarantined based on a plurality of factors, including a feature type of the social networking site existent in the network message.
18. The system of claim 16, wherein the network message comprises application data from the social networking site for the first application to display a personalized web page on the user device, and wherein if a feature type of the personalized web page is to be blocked, the instructions are translatable by the at least one processor to perform:
disabling at least one feature of the feature type in the application data from the social networking site;
assembling a web page resembling the personalized web page from the social networking site and with the at least one feature of the feature type disabled; and
forwarding the web page for display on the user device.
19. The system of claim 15, wherein the instructions are translatable by the at least one processor to determine whether the network message is to be blocked from reaching the destination, approved for reaching the destination, or quarantined based on a plurality of factors, including a pattern of numbers.
20. The system of claim 15, wherein the instructions are translatable by the at least one processor to perform:
placing the network message in a moderation flow if the network message is subject to moderation, wherein the moderation flow is fully automated or semi-automated.
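The steps recited in claims 8 and 15 (intercept, examine with source-specific filters, determine a verdict, then either generate a simulated message, reconstruct the message, isolate it without moderation, or route it into a moderation flow) read naturally as a small inspection pipeline. The following is an added example written for this page; it is not code from the patent, Socialware or Proofpoint. The source names (`social.example`, `chat.example`, `unvetted.example`), the field maps in `SOURCE_FILTERS`, the sample payloads and the policy in `decide()` are all constructed. It also covers the "pattern of numbers" factor of claims 12/19 (a Luhn-checked digit run) and the feature-disabling step of claims 11/18 (`disable_feature`).

```python
"""Toy interception/quarantine/moderation proxy modelled on the claimed steps.

Added example, not the patent's or assignee's code. All sources, filters,
destinations and sample messages below are constructed for illustration.
"""
import json
import re
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    APPROVE = "approve"
    BLOCK = "block"
    QUARANTINE = "quarantine"
    MODERATE = "moderate"


# Source-specific filters (hypothetical sites): which payload fields carry
# which content type. Parsing is done per source, as the claims describe.
SOURCE_FILTERS = {
    "social.example": {"text": ["status", "comment"], "link": ["link"], "attachment": ["photo"]},
    "chat.example": {"text": ["body"], "link": [], "attachment": ["file"]},
}

# Destination-specific rule: traffic to these hosts is isolated outright,
# without entering any moderation flow (constructed list).
QUARANTINED_DESTINATIONS = {"unvetted.example"}

# "Pattern of numbers" factor: 13-16 digits with optional separators, then Luhn-checked.
CARD_LIKE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(s: str) -> bool:
    """Luhn checksum over the digits in s; filters out random digit runs."""
    digits = [int(c) for c in s if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Message:
    source: str
    destination: str
    payload: dict


def content_types(msg: Message) -> set:
    """Examine step: parse with the filter specific to the source and return the content types found."""
    filt = SOURCE_FILTERS.get(msg.source)
    if filt is None:
        return {"unknown_source"}
    found = set()
    for ctype, fields in filt.items():
        for f in fields:
            if f in msg.payload:
                found.add(ctype)
                if ctype == "text" and any(luhn_ok(m) for m in CARD_LIKE.findall(str(msg.payload[f]))):
                    found.add("card_number")
    return found


def decide(msg: Message, types: set) -> Verdict:
    """Determine step: destination-specific rules first, then content-specific ones (constructed policy)."""
    if msg.destination in QUARANTINED_DESTINATIONS or "unknown_source" in types:
        return Verdict.QUARANTINE
    if "card_number" in types:
        return Verdict.BLOCK
    if "attachment" in types or "link" in types:
        return Verdict.MODERATE
    return Verdict.APPROVE


def handle(msg: Message, quarantine: list, moderation_queue: list) -> dict:
    """Act on the verdict: simulated reply for BLOCK, reconstruction for APPROVE,
    isolation (no moderation) for QUARANTINE, moderation flow for MODERATE."""
    verdict = decide(msg, content_types(msg))
    if verdict is Verdict.BLOCK:
        # The uncontrolled client-side agent expects an answer from the server;
        # a plausible simulated reply keeps it from failing while nothing is forwarded.
        return {"verdict": verdict.value, "forward": None,
                "reply_to_client": json.dumps({"status": "ok", "id": "simulated-0"})}
    if verdict is Verdict.QUARANTINE:
        quarantine.append(msg)  # isolated; never enters the moderation flow
        return {"verdict": verdict.value, "forward": None, "reply_to_client": None}
    if verdict is Verdict.MODERATE:
        moderation_queue.append(msg)  # semi-automated flow: a reviewer releases or drops it
        return {"verdict": verdict.value, "forward": None, "reply_to_client": None}
    # APPROVE: reconstruct the message from the fields the source filter knows about.
    known = {f for fields in SOURCE_FILTERS[msg.source].values() for f in fields}
    rebuilt = {k: v for k, v in msg.payload.items() if k in known}
    return {"verdict": verdict.value, "forward": json.dumps(rebuilt, sort_keys=True),
            "reply_to_client": None}


def disable_feature(app_data: dict, feature_type: str) -> dict:
    """Claims 11/18 in miniature: drop one feature type from the site's application data
    before the client-side code renders it, so the assembled page resembles the original
    minus that feature. Feature keys are constructed."""
    return {k: v for k, v in app_data.items() if k != feature_type}
```

The simulated reply in the `BLOCK` branch is the point a practitioner should notice: because the proxy controls neither the client-side script nor the server, silently dropping a request would surface as a broken page, so the blocked request is answered locally instead. The `QUARANTINE` branch deliberately bypasses the moderation queue, matching the "without putting the network message through any moderation process" wording.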
US14/070,151 2010-05-21 2013-11-01 Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems Active US9130822B2 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
US14/070,151 US9130822B2 (en) 2010-05-21 2013-11-01 Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems
US14/823,786 US10230593B2 (en) 2010-05-21 2015-08-11 Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems
US15/420,838 US10511496B2 (en) 2010-05-21 2017-01-31 Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems
US15/420,854 US10404553B2 (en) 2010-05-21 2017-01-31 Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US12/785,276 US8601114B1 (en) 2010-05-21 2010-05-21 Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems
US14/070,151 US9130822B2 (en) 2010-05-21 2013-11-01 Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems

Related Parent Applications (2)

Application Number Title Priority Date Filing Date
US12/785,278 Continuation US9071650B1 (en) 2008-09-17 2010-05-21 Method, system and computer program product for enforcing access controls to features and subfeatures on uncontrolled web application
US12/785,276 Continuation US8601114B1 (en) 2010-05-21 2010-05-21 Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US14/823,786 Continuation US10230593B2 (en) 2010-05-21 2015-08-11 Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems

Publications (2)

Publication Number Publication Date
US20140059153A1 US20140059153A1 (en) 2014-02-27
US9130822B2 true US9130822B2 (en) 2015-09-08

Family

ID=49640900

Family Applications (5)

Application Number Title Priority Date Filing Date
US12/785,276 Active 2031-04-11 US8601114B1 (en) 2010-05-21 2010-05-21 Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems
US14/070,151 Active US9130822B2 (en) 2010-05-21 2013-11-01 Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems
US14/823,786 Active 2032-06-11 US10230593B2 (en) 2010-05-21 2015-08-11 Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems
US15/420,854 Active 2030-08-30 US10404553B2 (en) 2010-05-21 2017-01-31 Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems
US15/420,838 Active 2031-02-27 US10511496B2 (en) 2010-05-21 2017-01-31 Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US12/785,276 Active 2031-04-11 US8601114B1 (en) 2010-05-21 2010-05-21 Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems

Family Applications After (3)

Application Number Title Priority Date Filing Date
US14/823,786 Active 2032-06-11 US10230593B2 (en) 2010-05-21 2015-08-11 Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems
US15/420,854 Active 2030-08-30 US10404553B2 (en) 2010-05-21 2017-01-31 Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems
US15/420,838 Active 2031-02-27 US10511496B2 (en) 2010-05-21 2017-01-31 Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems

Country Status (1)

Country Link
US (5) US8601114B1 (en)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9584530B1 (en) 2014-06-27 2017-02-28 Wickr Inc. In-band identity verification and man-in-the-middle defense
US9584316B1 (en) 2012-07-16 2017-02-28 Wickr Inc. Digital security bubble
US9584493B1 (en) 2015-12-18 2017-02-28 Wickr Inc. Decentralized authoritative messaging
US9590958B1 (en) 2016-04-14 2017-03-07 Wickr Inc. Secure file transfer
US9591479B1 (en) 2016-04-14 2017-03-07 Wickr Inc. Secure telecommunications
US9654288B1 (en) 2014-12-11 2017-05-16 Wickr Inc. Securing group communications
US9698976B1 (en) 2014-02-24 2017-07-04 Wickr Inc. Key management and dynamic perfect forward secrecy
US9830089B1 (en) 2013-06-25 2017-11-28 Wickr Inc. Digital data sanitization
US9866591B1 (en) 2013-06-25 2018-01-09 Wickr Inc. Enterprise messaging platform
US10129260B1 (en) 2013-06-25 2018-11-13 Wickr Inc. Mutual privacy management
US10230593B2 (en) 2010-05-21 2019-03-12 Proofpoint, Inc. Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems
US10291607B1 (en) 2016-02-02 2019-05-14 Wickr Inc. Providing real-time events to applications
US10567349B2 (en) 2013-06-25 2020-02-18 Wickr Inc. Secure time-to-live
US11330003B1 (en) 2017-11-14 2022-05-10 Amazon Technologies, Inc. Enterprise messaging platform
US11588848B2 (en) 2021-01-05 2023-02-21 Bank Of America Corporation System and method for suspending a computing device suspected of being infected by a malicious code using a kill switch button

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013098587A1 (en) * 2011-12-27 2013-07-04 Nokia Corporation Preventing unintentionally violating privacy when sharing and/or publishing content
US9608959B2 (en) 2015-03-23 2017-03-28 Quest Software Inc. Non RFC-compliant protocol classification based on real use
US10187446B2 (en) 2015-03-23 2019-01-22 Sonicwall Inc. Firewall multi-level security dynamic host-based sandbox generation for embedded URL links
US9485231B1 (en) 2015-05-26 2016-11-01 Dell Software Inc. Securing internet of things communications across multiple vendors
US9888011B2 (en) * 2015-07-31 2018-02-06 Sonicwall Inc. Social media login and interaction management
US10523793B2 (en) * 2016-07-11 2019-12-31 Facebook, Inc. Kernel multiplexing system of communications
CN110825985B (en) * 2018-08-06 2023-07-07 阿里巴巴(北京)软件服务有限公司 Data acquisition system, method, device, control equipment and proxy equipment

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080178298A1 (en) 2001-02-14 2008-07-24 Endeavors Technology, Inc. Intelligent network streaming and execution system for conventionally coded applications
US7586871B2 (en) 2001-05-22 2009-09-08 Bytemobile Network Services Corporation Platform and method for providing data services in a communication network
US20090313318A1 (en) 2008-06-13 2009-12-17 Dye Thomas A System and method using interpretation filters for commercial data insertion into mobile computing devices
US20100106777A1 (en) 2007-01-31 2010-04-29 Nathaniel Cooper System and method for modifying web content via a content transform proxy service
US20110125697A1 (en) 2009-11-20 2011-05-26 Avaya Inc. Social media contact center dialog system
US20120023090A1 (en) 2010-04-01 2012-01-26 Lee Hahn Holloway Methods and apparatuses for providing internet-based proxy services
US8601114B1 (en) 2010-05-21 2013-12-03 Socialware, Inc. Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems

Family Cites Families (35)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7389413B2 (en) * 1998-07-23 2008-06-17 Tumbleweed Communications Corp. Method and system for filtering communication
WO2001059545A2 (en) * 2000-02-11 2001-08-16 Subramaniam Arun K System and method for providing anonymous internet transaction
US8670993B2 (en) * 2000-03-02 2014-03-11 PriceDoc, Inc. Method and system for providing an on-line healthcare open market exchange
US20050182660A1 (en) * 2000-11-29 2005-08-18 Med Bid Exchange Llc Business method and system for providing an on-line healthcare market exchange for procuring and financing medical services and products
US6546493B1 (en) * 2001-11-30 2003-04-08 Networks Associates Technology, Inc. System, method and computer program product for risk assessment scanning based on detected anomalous events
US20030220978A1 (en) * 2002-05-24 2003-11-27 Rhodes Michael J. System and method for message sender validation
US7237030B2 (en) * 2002-12-03 2007-06-26 Sun Microsystems, Inc. System and method for preserving post data on a server system
US20050015626A1 (en) * 2003-07-15 2005-01-20 Chasin C. Scott System and method for identifying and filtering junk e-mail messages or spam based on URL content
US7832012B2 (en) * 2004-05-19 2010-11-09 Computer Associates Think, Inc. Method and system for isolating suspicious email
US20060184549A1 (en) * 2005-02-14 2006-08-17 Rowney Kevin T Method and apparatus for modifying messages based on the presence of pre-selected data
US8011003B2 (en) * 2005-02-14 2011-08-30 Symantec Corporation Method and apparatus for handling messages containing pre-selected data
US8583740B2 (en) * 2005-04-25 2013-11-12 Google Inc. Actionable quarantine summary
US7854007B2 (en) * 2005-05-05 2010-12-14 Ironport Systems, Inc. Identifying threats in electronic messages
US20070027730A1 (en) * 2005-07-26 2007-02-01 Mcardle James M System and method for online collective decision making
US20080270545A1 (en) * 2007-04-27 2008-10-30 Howe Anthony C Enhanced message-id as electronic watermark for electronic mail filtering
US7840413B2 (en) * 2007-05-09 2010-11-23 Salesforce.Com, Inc. Method and system for integrating idea and on-demand services
ES2741513T3 (en) * 2007-09-07 2020-02-11 Dis Ent Llc Software based multi-channel polymorphic data obfuscation
US8719216B2 (en) 2007-10-24 2014-05-06 The Boeing Company Caching of web form post-query requests
US9529974B2 (en) * 2008-02-25 2016-12-27 Georgetown University System and method for detecting, collecting, analyzing, and communicating event-related information
US8881040B2 (en) * 2008-08-28 2014-11-04 Georgetown University System and method for detecting, collecting, analyzing, and communicating event-related information
US20100023584A1 (en) 2008-07-23 2010-01-28 Motorola, Inc. Method and system for creating a personalized social network in a telecommunication network
US20100306249A1 (en) * 2009-05-27 2010-12-02 James Hill Social network systems and methods
WO2011027352A1 (en) * 2009-09-03 2011-03-10 Mcafee, Inc. Network access control
US8935614B2 (en) 2009-12-08 2015-01-13 At&T Intellectual Property I, L.P. Method and apparatus for navigating a video program via a transcript of spoken dialog
US20110153458A1 (en) 2009-12-17 2011-06-23 Oracle International Corporation Approval workflow engine and approval framework for purchase orders
US8718621B2 (en) * 2010-02-24 2014-05-06 General Motors Llc Notification method and system
US20120323700A1 (en) * 2011-06-20 2012-12-20 Prays Nikolay Aleksandrovich Image-based captcha system
US8954519B2 (en) * 2012-01-25 2015-02-10 Bitdefender IPR Management Ltd. Systems and methods for spam detection using character histograms
US20140222702A1 (en) * 2012-03-30 2014-08-07 Taxconnections, Inc. Systems and methods for searching for professionals within an online community
US20140081652A1 (en) * 2012-09-14 2014-03-20 Risk Management Solutions Llc Automated Healthcare Risk Management System Utilizing Real-time Predictive Models, Risk Adjusted Provider Cost Index, Edit Analytics, Strategy Management, Managed Learning Environment, Contact Management, Forensic GUI, Case Management And Reporting System For Preventing And Detecting Healthcare Fraud, Abuse, Waste And Errors
US10019766B2 (en) 2013-01-31 2018-07-10 Facebook, Inc. Method, medium, and system for enabling gift card transactions
US9146943B1 (en) 2013-02-26 2015-09-29 Google Inc. Determining user content classifications within an online community
US9818129B2 (en) 2013-03-15 2017-11-14 Facebook, Inc. Methods for calculating advertisement effectiveness
US20150181383A1 (en) 2013-12-20 2015-06-25 Egan Schulz Location-based messages
US9407654B2 (en) * 2014-03-20 2016-08-02 Microsoft Technology Licensing, Llc Providing multi-level password and phishing protection

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080178298A1 (en) 2001-02-14 2008-07-24 Endeavors Technology, Inc. Intelligent network streaming and execution system for conventionally coded applications
US7586871B2 (en) 2001-05-22 2009-09-08 Bytemobile Network Services Corporation Platform and method for providing data services in a communication network
US20100106777A1 (en) 2007-01-31 2010-04-29 Nathaniel Cooper System and method for modifying web content via a content transform proxy service
US20090313318A1 (en) 2008-06-13 2009-12-17 Dye Thomas A System and method using interpretation filters for commercial data insertion into mobile computing devices
US20110125697A1 (en) 2009-11-20 2011-05-26 Avaya Inc. Social media contact center dialog system
US20120023090A1 (en) 2010-04-01 2012-01-26 Lee Hahn Holloway Methods and apparatuses for providing internet-based proxy services
US8601114B1 (en) 2010-05-21 2013-12-03 Socialware, Inc. Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
"Stateful firewall," retrieved from <<http://en.wikipedia.org/wiki/Stateful-firewall>> on Mar. 6, 2015, 5 pages.
Notice of Allowance issued in U.S. Appl. No. 12/785,276, mailed Jul. 31, 2013, 5 pages.
Office Action issued in U.S. Appl. No. 12/785,276, mailed Dec. 27, 2012, 10 pages.
Office Action issued in U.S. Appl. No. 12/785,276, mailed Jun. 6, 2012, 10 pages.

Cited By (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10511496B2 (en) 2010-05-21 2019-12-17 Proofpoint, Inc. Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems
US10404553B2 (en) 2010-05-21 2019-09-03 Proofpoint, Inc. Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems
US10230593B2 (en) 2010-05-21 2019-03-12 Proofpoint, Inc. Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems
US9729315B2 (en) 2012-07-16 2017-08-08 Wickr Inc. Initialization and registration of an application
US9584316B1 (en) 2012-07-16 2017-02-28 Wickr Inc. Digital security bubble
US9876772B1 (en) 2012-07-16 2018-01-23 Wickr Inc. Encrypting and transmitting data
US9628449B1 (en) 2012-07-16 2017-04-18 Wickr Inc. Multi party messaging
US9667417B1 (en) 2012-07-16 2017-05-30 Wickr Inc. Digital security bubble
US10567349B2 (en) 2013-06-25 2020-02-18 Wickr Inc. Secure time-to-live
US10129260B1 (en) 2013-06-25 2018-11-13 Wickr Inc. Mutual privacy management
US9866591B1 (en) 2013-06-25 2018-01-09 Wickr Inc. Enterprise messaging platform
US9830089B1 (en) 2013-06-25 2017-11-28 Wickr Inc. Digital data sanitization
US10396982B1 (en) 2014-02-24 2019-08-27 Wickr Inc. Key management and dynamic perfect forward secrecy
US9698976B1 (en) 2014-02-24 2017-07-04 Wickr Inc. Key management and dynamic perfect forward secrecy
US10382197B1 (en) 2014-02-24 2019-08-13 Wickr Inc. Key management and dynamic perfect forward secrecy
US9584530B1 (en) 2014-06-27 2017-02-28 Wickr Inc. In-band identity verification and man-in-the-middle defense
US9654288B1 (en) 2014-12-11 2017-05-16 Wickr Inc. Securing group communications
US9673973B1 (en) 2015-12-18 2017-06-06 Wickr Inc. Decentralized authoritative messaging
US9584493B1 (en) 2015-12-18 2017-02-28 Wickr Inc. Decentralized authoritative messaging
US9590956B1 (en) 2015-12-18 2017-03-07 Wickr Inc. Decentralized authoritative messaging
US10291607B1 (en) 2016-02-02 2019-05-14 Wickr Inc. Providing real-time events to applications
US9596079B1 (en) 2016-04-14 2017-03-14 Wickr Inc. Secure telecommunications
US9590958B1 (en) 2016-04-14 2017-03-07 Wickr Inc. Secure file transfer
US9591479B1 (en) 2016-04-14 2017-03-07 Wickr Inc. Secure telecommunications
US9602477B1 (en) 2016-04-14 2017-03-21 Wickr Inc. Secure file transfer
US11362811B2 (en) 2016-04-14 2022-06-14 Amazon Technologies, Inc. Secure telecommunications
US11405370B1 (en) 2016-04-14 2022-08-02 Amazon Technologies, Inc. Secure file transfer
US11330003B1 (en) 2017-11-14 2022-05-10 Amazon Technologies, Inc. Enterprise messaging platform
US11588848B2 (en) 2021-01-05 2023-02-21 Bank Of America Corporation System and method for suspending a computing device suspected of being infected by a malicious code using a kill switch button
US11895147B2 (en) 2021-01-05 2024-02-06 Bank Of America Corporation System and method for suspending a computing device suspected of being infected by a malicious code using a kill switch button

Also Published As

Publication number Publication date
US20150350036A1 (en) 2015-12-03
US20170142052A1 (en) 2017-05-18
US10511496B2 (en) 2019-12-17
US20140059153A1 (en) 2014-02-27
US10230593B2 (en) 2019-03-12
US8601114B1 (en) 2013-12-03
US20170141981A1 (en) 2017-05-18
US10404553B2 (en) 2019-09-03

Similar Documents

Publication Publication Date Title
US10511496B2 (en) Method, system and computer program product for interception, quarantine and moderation of internal communications of uncontrolled systems
US9954965B2 (en) Method, system and computer program product for tagging content on uncontrolled web application
US11012447B2 (en) Method, system, and storage medium for secure communication utilizing social networking sites
EP3584735B1 (en) Middle ware security layer for cloud computing services
US10021139B2 (en) Method, system and computer program product for enforcing access controls to features and subfeatures on uncontrolled web application
US8909792B2 (en) Method, system, and computer program product for identifying and tracking social identities
US9058590B2 (en) Content upload safety tool
US8301653B2 (en) System and method for capturing and reporting online sessions
US11856022B2 (en) Metadata-based detection and prevention of phishing attacks
US10356050B1 (en) Mitigation of data leakage in HTTP headers
US9699192B2 (en) True-ownership of shared data
US8756280B1 (en) System, method and computer program product for optimization of post-review process
US9251361B1 (en) Data transmission to an untrusted entity

Legal Events

Date Code Title Description
AS Assignment

Owner name: SOCIALWARE, INC., TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:COOPER, CAMERON BLAIR;REEL/FRAME:031618/0253

Effective date: 20100702

STCF Information on status: patent grant

Free format text: PATENTED CASE

FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

FEPP Fee payment procedure

Free format text: PAT HOLDER NO LONGER CLAIMS SMALL ENTITY STATUS, ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: STOL); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

AS Assignment

Owner name: PROOFPOINT, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SOCIALWARE, INC.;REEL/FRAME:037615/0370

Effective date: 20160128

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4

AS Assignment

Owner name: GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT, NEW YORK

Free format text: SECOND LIEN INTELLECTUAL PROPERTY SECURITY AGREEMENT;ASSIGNOR:PROOFPOINT, INC.;REEL/FRAME:057389/0642

Effective date: 20210831

Owner name: GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT, NEW YORK

Free format text: FIRST LIEN INTELLECTUAL PROPERTY SECURITY AGREEMENT;ASSIGNOR:PROOFPOINT, INC.;REEL/FRAME:057389/0615

Effective date: 20210831

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8

AS Assignment

Owner name: PROOFPOINT, INC., CALIFORNIA

Free format text: RELEASE OF SECOND LIEN SECURITY INTEREST IN INTELLECTUAL PROPERTY;ASSIGNOR:GOLDMAN SACHS BANK USA, AS AGENT;REEL/FRAME:066865/0648

Effective date: 20240321